/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2008-2021 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
#ifndef OPENSSL_NO_EC
+#include <openssl/evp.h>
#include <openssl/ec.h>
#include <openssl/objects.h>
+#if OPENSSL_VERSION_NUMBER < 0x1010000fL
+#include <openssl/bn.h>
+#endif
+
#include "openssl_ec_diffie_hellman.h"
#include "openssl_util.h"
-#include <debug.h>
+#include <utils/debug.h>
typedef struct private_openssl_ec_diffie_hellman_t private_openssl_ec_diffie_hellman_t;
/**
* Diffie Hellman group number.
*/
- u_int16_t group;
+ diffie_hellman_group_t group;
/**
* EC private (public) key
*/
- EC_KEY *key;
+ EVP_PKEY *key;
/**
* EC group
*/
- const EC_GROUP *ec_group;
-
- /**
- * Other public key
- */
- EC_POINT *pub_key;
+ EC_GROUP *ec_group;
/**
* Shared secret
bool computed;
};
+#if OPENSSL_VERSION_NUMBER < 0x1010000fL
/**
- * Convert a chunk to an EC_POINT (which must already exist). The x and y
+ * Convert a chunk to an EC_POINT and set it on the given key. The x and y
* coordinates of the point have to be concatenated in the chunk.
*/
-static bool chunk2ecp(const EC_GROUP *group, chunk_t chunk, EC_POINT *point)
+static bool chunk2ecp(const EC_GROUP *group, chunk_t chunk, EVP_PKEY *key)
{
+ EC_POINT *point = NULL;
+ EC_KEY *pub = NULL;
BN_CTX *ctx;
BIGNUM *x, *y;
bool ret = FALSE;
goto error;
}
- if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx))
+ point = EC_POINT_new(group);
+ if (!point || !EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx))
+ {
+ goto error;
+ }
+
+ if (!EC_POINT_is_on_curve(group, point, ctx))
+ {
+ goto error;
+ }
+
+ pub = EC_KEY_new();
+ if (!pub || !EC_KEY_set_group(pub, group))
+ {
+ goto error;
+ }
+
+ if (EC_KEY_set_public_key(pub, point) != 1)
+ {
+ goto error;
+ }
+
+ if (EVP_PKEY_set1_EC_KEY(key, pub) != 1)
{
goto error;
}
ret = TRUE;
+
error:
+ EC_POINT_clear_free(point);
+ EC_KEY_free(pub);
BN_CTX_end(ctx);
BN_CTX_free(ctx);
return ret;
}
/**
- * Convert an EC_POINT to a chunk by concatenating the x and y coordinates of
- * the point. This function allocates memory for the chunk.
+ * Convert a key to a chunk by concatenating the x and y coordinates of
+ * the underlying EC point. This function allocates memory for the chunk.
*/
-static bool ecp2chunk(const EC_GROUP *group, const EC_POINT *point,
- chunk_t *chunk, bool x_coordinate_only)
+static bool ecp2chunk(const EC_GROUP *group, EVP_PKEY *key, chunk_t *chunk)
{
+ EC_KEY *ec_key = NULL;
+ const EC_POINT *point;
BN_CTX *ctx;
BIGNUM *x, *y;
bool ret = FALSE;
goto error;
}
- if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx))
+ ec_key = EVP_PKEY_get1_EC_KEY(key);
+ point = EC_KEY_get0_public_key(ec_key);
+ if (!point || !EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx))
{
goto error;
}
- if (x_coordinate_only)
- {
- y = NULL;
- }
if (!openssl_bn_cat(EC_FIELD_ELEMENT_LEN(group), x, y, chunk))
{
goto error;
}
- ret = TRUE;
+ ret = chunk->len != 0;
error:
+ EC_KEY_free(ec_key);
BN_CTX_end(ctx);
BN_CTX_free(ctx);
return ret;
}
+#endif /* OPENSSL_VERSION_NUMBER < ... */
-/**
- * Compute the shared secret.
- *
- * We cannot use the function ECDH_compute_key() because that returns only the
- * x coordinate of the shared secret point (which is defined, for instance, in
- * 'NIST SP 800-56A').
- * However, we need both coordinates as RFC 4753 says: "The Diffie-Hellman
- * public value is obtained by concatenating the x and y values. The format
- * of the Diffie-Hellman shared secret value is the same as that of the
- * Diffie-Hellman public value."
- */
-static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this,
- chunk_t *shared_secret)
+METHOD(diffie_hellman_t, set_other_public_value, bool,
+ private_openssl_ec_diffie_hellman_t *this, chunk_t value)
{
- const BIGNUM *priv_key;
- EC_POINT *secret = NULL;
- bool x_coordinate_only, ret = FALSE;
+ EVP_PKEY *pub = NULL;
- priv_key = EC_KEY_get0_private_key(this->key);
- if (!priv_key)
+ chunk_clear(&this->shared_secret);
+ this->computed = FALSE;
+
+ if (!diffie_hellman_verify_value(this->group, value))
{
- goto error;
+ return FALSE;
}
- secret = EC_POINT_new(this->ec_group);
- if (!secret)
+ pub = EVP_PKEY_new();
+ if (!pub)
{
goto error;
}
- if (!EC_POINT_mul(this->ec_group, secret, NULL, this->pub_key, priv_key, NULL))
+#if OPENSSL_VERSION_NUMBER < 0x1010000fL
+ if (!chunk2ecp(this->ec_group, value, pub))
{
+ DBG1(DBG_LIB, "ECDH public value is malformed");
goto error;
}
+#else
+ /* OpenSSL expects the pubkey in the format specified in section 2.3.4 of
+ * SECG SEC 1, i.e. prefixed with 0x04 to indicate an uncompressed point */
+ value = chunk_cata("cc", chunk_from_chars(0x04), value);
+ if (EVP_PKEY_copy_parameters(pub, this->key) <= 0 ||
+ EVP_PKEY_set1_tls_encodedpoint(pub, value.ptr, value.len) <= 0)
+ {
+ DBG1(DBG_LIB, "ECDH public value is malformed");
+ goto error;
+ }
+#endif
- /*
- * The default setting ecp_x_coordinate_only = TRUE
- * applies the following errata for RFC 4753:
- * http://www.rfc-editor.org/errata_search.php?eid=9
- */
- x_coordinate_only = lib->settings->get_bool(lib->settings,
- "libstrongswan.ecp_x_coordinate_only", TRUE);
- if (!ecp2chunk(this->ec_group, secret, shared_secret, x_coordinate_only))
+ if (!openssl_compute_shared_key(this->key, pub, &this->shared_secret))
{
+ DBG1(DBG_LIB, "ECDH shared secret computation failed");
goto error;
}
+ this->computed = TRUE;
- ret = TRUE;
error:
- if (secret)
+ EVP_PKEY_free(pub);
+ return this->computed;
+}
+
+METHOD(diffie_hellman_t, get_my_public_value, bool,
+ private_openssl_ec_diffie_hellman_t *this, chunk_t *value)
+{
+#if OPENSSL_VERSION_NUMBER < 0x1010000fL
+ return ecp2chunk(this->ec_group, this->key, value);
+#else
+ chunk_t pub;
+
+ /* OpenSSL returns the pubkey in the format specified in section 2.3.4 of
+ * SECG SEC 1, i.e. prefixed with 0x04 to indicate an uncompressed point */
+ pub.len = EVP_PKEY_get1_tls_encodedpoint(this->key, &pub.ptr);
+ if (pub.len != 0)
{
- EC_POINT_clear_free(secret);
+ *value = chunk_clone(chunk_skip(pub, 1));
+ OPENSSL_free(pub.ptr);
+ return value->len != 0;
}
- return ret;
+ return FALSE;
+#endif
}
-METHOD(diffie_hellman_t, set_other_public_value, void,
+METHOD(diffie_hellman_t, set_private_value, bool,
private_openssl_ec_diffie_hellman_t *this, chunk_t value)
{
- if (!chunk2ecp(this->ec_group, value, this->pub_key))
+ EC_KEY *key = NULL;
+ EC_POINT *pub = NULL;
+ BIGNUM *priv = NULL;
+ bool ret = FALSE;
+
+ priv = BN_bin2bn(value.ptr, value.len, NULL);
+ if (!priv)
{
- DBG1(DBG_LIB, "ECDH public value is malformed");
- return;
+ goto error;
}
-
- chunk_free(&this->shared_secret);
-
- if (!compute_shared_key(this, &this->shared_secret)) {
- DBG1(DBG_LIB, "ECDH shared secret computation failed");
- return;
+ pub = EC_POINT_new(this->ec_group);
+ if (!pub)
+ {
+ goto error;
}
+ if (EC_POINT_mul(this->ec_group, pub, priv, NULL, NULL, NULL) != 1)
+ {
+ goto error;
+ }
+ key = EC_KEY_new();
+ if (!key || !EC_KEY_set_group(key, this->ec_group))
+ {
+ goto error;
+ }
+ if (EC_KEY_set_private_key(key, priv) != 1)
+ {
+ goto error;
+ }
+ if (EC_KEY_set_public_key(key, pub) != 1)
+ {
+ goto error;
+ }
+ if (EVP_PKEY_set1_EC_KEY(this->key, key) != 1)
+ {
+ goto error;
+ }
+ ret = TRUE;
- this->computed = TRUE;
-}
-
-METHOD(diffie_hellman_t, get_my_public_value, void,
- private_openssl_ec_diffie_hellman_t *this,chunk_t *value)
-{
- ecp2chunk(this->ec_group, EC_KEY_get0_public_key(this->key), value, FALSE);
+error:
+ EC_POINT_free(pub);
+ BN_free(priv);
+ EC_KEY_free(key);
+ return ret;
}
-METHOD(diffie_hellman_t, get_shared_secret, status_t,
+METHOD(diffie_hellman_t, get_shared_secret, bool,
private_openssl_ec_diffie_hellman_t *this, chunk_t *secret)
{
if (!this->computed)
{
- return FAILED;
+ return FALSE;
}
*secret = chunk_clone(this->shared_secret);
- return SUCCESS;
+ return TRUE;
}
METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
METHOD(diffie_hellman_t, destroy, void,
private_openssl_ec_diffie_hellman_t *this)
{
- EC_POINT_clear_free(this->pub_key);
- EC_KEY_free(this->key);
- chunk_free(&this->shared_secret);
+ EC_GROUP_free(this->ec_group);
+ EVP_PKEY_free(this->key);
+ chunk_clear(&this->shared_secret);
free(this);
}
/*
- * Described in header.
+ * Described in header
*/
-openssl_ec_diffie_hellman_t *openssl_ec_diffie_hellman_create(diffie_hellman_group_t group)
+int openssl_ecdh_group_to_nid(diffie_hellman_group_t group)
{
- private_openssl_ec_diffie_hellman_t *this;
-
- INIT(this,
- .public.dh = {
- .get_shared_secret = _get_shared_secret,
- .set_other_public_value = _set_other_public_value,
- .get_my_public_value = _get_my_public_value,
- .get_dh_group = _get_dh_group,
- .destroy = _destroy,
- },
- .group = group,
- );
-
switch (group)
{
case ECP_192_BIT:
- this->key = EC_KEY_new_by_curve_name(NID_X9_62_prime192v1);
- break;
+ return NID_X9_62_prime192v1;
case ECP_224_BIT:
- this->key = EC_KEY_new_by_curve_name(NID_secp224r1);
- break;
+ return NID_secp224r1;
case ECP_256_BIT:
- this->key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
- break;
+ return NID_X9_62_prime256v1;
case ECP_384_BIT:
- this->key = EC_KEY_new_by_curve_name(NID_secp384r1);
- break;
+ return NID_secp384r1;
case ECP_521_BIT:
- this->key = EC_KEY_new_by_curve_name(NID_secp521r1);
- break;
+ return NID_secp521r1;
+/* added with 1.0.2 */
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+ case ECP_224_BP:
+ return NID_brainpoolP224r1;
+ case ECP_256_BP:
+ return NID_brainpoolP256r1;
+ case ECP_384_BP:
+ return NID_brainpoolP384r1;
+ case ECP_512_BP:
+ return NID_brainpoolP512r1;
+#endif
default:
- this->key = NULL;
- break;
+ return 0;
}
+}
- if (!this->key)
+/*
+ * Described in header
+ */
+openssl_ec_diffie_hellman_t *openssl_ec_diffie_hellman_create(diffie_hellman_group_t group)
+{
+ private_openssl_ec_diffie_hellman_t *this;
+ EC_KEY *key = NULL;
+ int curve;
+
+ curve = openssl_ecdh_group_to_nid(group);
+ if (curve)
+ {
+ key = EC_KEY_new_by_curve_name(curve);
+ }
+ if (!key)
{
- free(this);
return NULL;
}
- /* caching the EC group */
- this->ec_group = EC_KEY_get0_group(this->key);
+ INIT(this,
+ .public = {
+ .dh = {
+ .get_shared_secret = _get_shared_secret,
+ .set_other_public_value = _set_other_public_value,
+ .get_my_public_value = _get_my_public_value,
+ .set_private_value = _set_private_value,
+ .get_dh_group = _get_dh_group,
+ .destroy = _destroy,
+ },
+ },
+ .group = group,
+ .ec_group = EC_GROUP_dup(EC_KEY_get0_group(key)),
+ );
- this->pub_key = EC_POINT_new(this->ec_group);
- if (!this->pub_key)
+ /* generate an EC private (public) key */
+ if (!EC_KEY_generate_key(key))
{
- free(this);
+ EC_KEY_free(key);
+ destroy(this);
return NULL;
}
- /* generate an EC private (public) key */
- if (!EC_KEY_generate_key(this->key))
+ this->key = EVP_PKEY_new();
+ if (!this->key || !EVP_PKEY_assign_EC_KEY(this->key, key))
{
- free(this);
+ EC_KEY_free(key);
+ destroy(this);
return NULL;
}
-
return &this->public;
}
-#endif /* OPENSSL_NO_EC */
+#endif /* OPENSSL_NO_EC */